Nokia 6131 NFC URI/URL Spoofing and DoS Advisory
Vulnerability Report
--- BEGIN ADVISORY ---
Manufacturer: Nokia (www.nokia.com)
Device: Nokia 6131 NFC
Firmware: V 05.12, 19-09-07, RM-216
Device Type: mobile phone
OS: Symbian Series40
Subsystem: Near Field Communication
-----------------------------
Executive Summary:
URI/URL Spoofing when displaying the content of a NDEF Smart Poster
and plain URI tag. Web browser does not display full hostname when
loading a web page.
Crash of the parser for various parts of NDEF records, reboots
graphical user interface (GUI) of phone.
-----------------------------
Reporter: Collin Mulliner <collin.mulliner[AT]sit.fraunhofer.de>
-----------------------------
Affiliation: Fraunhofer SIT / MUlliNER.ORG / the trifinite group
-----------------------------
Time line:
Reported to vendor : 27. March 2008
Received ack. : 28. March 2008
Presented at EuSecWest2008 : 21. May 2008
Received further feedback : 04. July 2008
Published to mailing lists : 16. August 2008
-----------------------------
Fix:
The first device without the reported vulnerabilities will be the
Nokia 6212 Classic NFC mobile phone.
-----------------------------
Brief Technical Details:
The Nokia 6131 NFC mobile phone is a mobile phone featuring the Near
Field Communication (NFC) technology (http://www.nfc-forum.org). The
phone has multiple security vulnerabilities in the code that parses and
displays the content of a NDEF Smart Poster and a plain URI tag.
1) NDEF Smart Poster URI Spoofing
The NDEF Smart Poster displays a URI together with a descriptive text.
The URI can be a URL (http,https,ftp,...) or can point to a phone
number (tel:) or to a short message (sms:).
The vulnerability: the phone concatenates the descriptive text and the
URI. The URI might not be displayed if the the descriptive text
already uses the available space to display both information. Further
the descriptive text can contain text that reassembles a URI.
Therefore a user can be tricked into opening/activating a different
URI than he expects. This can lead to monetary damage.
There is no visual indication of which part is text and which part is
the URI.
1.1.1) URL Spoofing
Descriptive text: Bank online with Happy Bank and Trust
https://www.happybankandtrust.com
URI: http://westealallyourmoney.com
User will believe he is accessing https://www.happybankandtrust.com
but he actually will load http://westealallyourmoney.com.
1.1.2) URL Spoofing surviving a quick check
Descriptive text:
http:\\www.nokia.com\r\r\rAddress:\rhttp:\\www.nokia.com\r\r\r\r\r.
URI: http://www.mulliner.org
The user will be see "http://www.nokia.com" in main screen, if he
presses "Show" he will see:
Title:
http://www.nokia.com
Address:
http://www.nokia.com
1.2) Telephone URI Spoofing
Descriptive text:
Tourist Information\r080012345678\r\r\r\r\r\r\r\r\r\r.
URI: tel:19006661666
The user will believe this is a free call but will actually call
1900...
1.3) SMS URI Spoofing
Descriptive text: Get todays weather forecast\r08005551234
URI: sms:33333?body=tone1
The user will believe the SMS is for free but he will actually send a
message to a premium rate number.
2) Plain URI Spoofing
Spoofing using the classic @ method.
URI:
http://wap.somebank.com\wap\login&where=ccinfo@\r\r...\r\r@badguy.net
Notice: some characters are not allowed before the @ these are:
/ and ? the user will probably not notice.
3) NDEF Record Parser Crash
The NDEF Record parser crashes if the record payload length field
contains either 0xFFFFFFFF or 0xFFFFFFFE
The crash will reboot the GUI of the phone. After 4 reboots in a row
the phone will switch off completely (e.g. user constantly trying to
read the tag containing this value).
4) NDEF Tel/SMS Handler Crash
The handler for the sms and tel URI crashes when encountering a
phone number of exactly 124 characters.
Examples:
tel:<124 characters> and sms:<124 characters>
Best guess is a off-by-one bug since shorter numbers work and longer
numbers produce an error message.
The crash will reboot the GUI of the phone. After 4 reboots in a row
the phone will switch off completely (e.g. user constantly trying to
read the tag containing this value).
-----------------------------
More Detailed Information:
More details, slides and tools are available here:
http://www.mulliner.org/nfc/
--- END ADVISORY ---
--
Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin@xxxxxxxxxxxxxxx
Don't ask me! I don't use windoze!